I'm working on a side project (no, not that one) with a friend, and I just caught myself following some really bad practices (and I fixed an SQL Injection vulnerability, oh my!). I was doing something that appears pretty benign: I'm letting users rate content by clicking on an image, or a link for "No Rating" or Spam. They're all regular anchor links that link back to the page itself, with information on which item was being rated embedded in the GET parameters, plus a nonce for CSRF protection (otherwise, if you were sneaky enough, you could make everyone rate your content well with a CSRF attack embedded in your own page).
Did you catch the problem? (after the jump)

The problem here is how I'm letting "people" rate the content: an anchor link. Sure, it's quick, easy, and it works, but it's bad. The HTTP spec calls for GET to be "safe", which is somewhat loosely defined, but this most definitely doesn't fit. Rating an item has a lasting effect: the site remembers your rating, spam ratings are measured against the content to remove items, etc. Fixing this took a bit of work on my side, switching the simple anchor tags to form buttons with the data embedded in the button's name, but it's a really good idea. Search engines and other spiders are smart enough not to POST data, but following regular anchor links is their job. If I had left it as is, the next (first?) time the site got spidered, the bot would have gone through and rated every single post with every single possible rating.
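As an added example (not code from the original post), here is the anchor-link version beside the form/POST version in PHP, with a handler that refuses GET outright and checks the token before storing anything; the function names, the `/rate.php` path and `store_rating()` are assumptions about the application.

```php
<?php
// Added example, not code from the original post. Function names, rate.php and
// store_rating() are assumptions about the app; the fix itself is the post's.
session_start();
// Before: rating via anchor links. Crawlers and link prefetchers follow these GETs
// and cast every vote; the nonce does not help, because it sits in the link they follow.
function render_rating_links_unsafe(int $itemId, string $nonce): string {
    $html = '';
    foreach ([1, 2, 3, 4, 5] as $score) {
        $html .= sprintf('<a href="?item=%d&amp;rating=%d&amp;nonce=%s">%d</a> ',
            $itemId, $score, urlencode($nonce), $score);
    }
    return $html;
}
// After: the state change sits behind a POST form carrying a per-session CSRF token.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
function render_rating_form(int $itemId): string {
    $html = sprintf('<form method="post" action="/rate.php">'
        . '<input type="hidden" name="item" value="%d">'
        . '<input type="hidden" name="csrf_token" value="%s">',
        $itemId, htmlspecialchars(csrf_token(), ENT_QUOTES));
    foreach ([1, 2, 3, 4, 5] as $score) {
        // Submit buttons: the score travels in the button's name/value, never in the URL.
        $html .= sprintf('<button name="rating" value="%d">%d</button>', $score, $score);
    }
    return $html . '</form>';
}
// rate.php: GET stays safe (405 with an Allow header), the token is compared in
// constant time, and the fields are validated before anything is written.
function handle_rating(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Allow: POST');
        http_response_code(405); exit;
    }
    if (!hash_equals(csrf_token(), (string) ($_POST['csrf_token'] ?? ''))) {
        http_response_code(403); exit;
    }
    $itemId = filter_input(INPUT_POST, 'item', FILTER_VALIDATE_INT);
    $rating = filter_input(INPUT_POST, 'rating', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    if (!$itemId || !$rating) {
        http_response_code(400); exit;
    }
    store_rating($itemId, $rating); // assumed app function; use a prepared statement inside
}
```

A spider that hits `/rate.php` with GET now gets a 405 and records nothing, and a cross-site form post without the session's token gets a 403.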

Comments »

I wouldn't say the RFC is loosely defined:

"In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval."

It also calls for the GET request method to be idempotent:

http://en.wikipedia.org/wiki/Idempotent

Idempotent methods are defined in the RFC immediately following the section of safe methods:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

I elaborated on this a bit last year:

http://shiflett.org/blog/2006/dec/google-web-accelerator-debate

(I also touched on the SHOULD versus MUST distinction.)

Hope that helps. :-)
#1 Chris Shiflett (Homepage) on 2007-11-11 16:34 (Reply)



Hi, I’m Paul Reinheimer, a developer working on the web.
